On Thu, Jun 19, 2014 at 02:56:49PM +0200, mvadkert wrote: > Hi everyone, > > I just came across a contradiction between the man page of AuthenticationMethods and the accepted > methods list. > > According to the sshd_config manual page: > """ > AuthenticationMethods > > Specifies the authentication methods that must be successfully completed for a user to be granted > access. This option must be followed by one or more comma-separated lists of authentication method > names. Successful authentication requires completion of every method in at least one of these lists. > """" > > But in reality the also an empty list is accepted by sshd (servconf.c:1605). > > What is the reason to accept an empty method list? Does the man page need an update? > Hi, I believe that this is a bug in the parsing code which doesn't handle empty list correctly. The following patch fixes it. --- a/servconf.c +++ b/servconf.c @@ -1630,6 +1630,8 @@ process_server_config_line(ServerOptions *options, char *line, break; case sAuthenticationMethods: + if (cp == NULL || *cp == '\0') + fatal("%.200s line %d: Missing argument.", filename, linenum); if (*activep && options->num_auth_methods == 0) { while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_auth_methods >= -- Petr Lautrbach _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
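Review bot: The added `cp == NULL || *cp == '\0'` test at the top of `case sAuthenticationMethods:` looks only at the first byte of the remaining line, while the loop just below it stops as soon as `strdelim(&cp)` returns an empty token (`*arg != '\0'`). If the first token can be empty while `cp` is not (an empty quoted string would be one such input, assuming `strdelim` returns an empty string for it), the loop body never runs and the option is still accepted with no methods. Consider taking the first token with `strdelim(&cp)` and calling `fatal()` when it is NULL or empty, or checking after the loop that at least one method was consumed. The new test also sits outside the `*activep && options->num_auth_methods == 0` guard, so the line is rejected even where its value would otherwise be ignored. That is reasonable for configuration validation, but it is worth saying so in the commit message.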